1 MANAGEMENT of INFORMATION SECURITY Second Edition

2 Learning Objectives
Upon completion of this chapter, you should be able to:
- Understand basic project management
- Apply project management principles to an information security program
- Evaluate available project management tools
Management of Information Security, 2nd ed. - Chapter 12

3 Introduction
- Information security is a process, not a project; however, each element of an information security program must be managed as a project, even if it is an ongoing one, so that every element is completed with quality deliverables, on time, and within budget
- Information security is a continuous series, or chain, of projects; as the chain progresses, the security systems development life cycle (SecSDLC) guides the management of each individual project
- Some aspects of information security are not project based; rather, they are managed processes (operations)
- Projects are discrete sequences of activities with starting points and defined completion points; in other words, "a project is a temporary endeavor undertaken to create a unique product or service"
- Although project management and organizational skills are not part of every information security analyst position description, there is much evidence that employers seek individuals who couple their information security focus and skills with strong project management skills

4 Figure 12-1 Position Posting

5 Figure 12-2 The Information Security Program Chain

6 Project Management
- The Guide to the Project Management Body of Knowledge (PMBoK) defines project management as the application of knowledge, skills, tools, and techniques to project activities to meet project requirements
- Project management is accomplished through processes such as initiating, planning, executing, controlling, and closing
- Unlike ongoing operations, project management involves the temporary assemblage of a group that completes the project; its members are then released, and perhaps assigned to other projects
- Some projects are iterative and occur regularly

7 Project Management (continued)
Benefits for organizations that make project management skills a priority include:
- Implementation of a methodology, such as the SecSDLC, ensures that no steps are missed
- Creation of a detailed blueprint of project activities serves as a common reference tool and makes all project team members more productive by shortening the learning curve when projects get underway
- Identification of specific responsibilities for all involved personnel lessens ambiguity and reduces confusion when individuals are assigned to new or different projects
- Clear definition of project constraints, including time frame, budget, and minimum quality requirements, increases the likelihood that the project stays within them
- Established measures of performance and project milestones simplify project monitoring
- Early identification of deviations in quality, time, or budget enables early correction
In general, a project is deemed a success when:
- It is completed on time or early as compared to the baseline project plan
- It comes in at or below the expenditures planned for in the baseline budget
- It meets all specifications as outlined in the approved project definition, and the deliverables are accepted by the end user and/or assigning entity

8 Applying Project Management to Security
- To apply project management to information security, you must first identify an established project management methodology
- While other project management approaches exist, the PMBoK is considered the industry best practice

9 Table 12-1 PMBoK Knowledge Areas

10 Table 12-1 PMBoK Knowledge Areas (continued)

11 Project Integration Management
- Project integration management includes the processes required to ensure that effective coordination occurs within and between the project's many components, including personnel
- The major elements of the project management effort that require integration include:
  - Development of the initial project plan
  - Monitoring of progress as the project plan is executed
  - Control of revisions to the project plan
  - Control of changes made to resource allocations as measured performance causes adjustments to the project plan

12 Project Plan Development
- Project plan development is the process of integrating all of the project elements into a cohesive plan, with the goal of completing the project within the allotted work time using no more than the allotted project resources
- These three elements (work time, resources, and project deliverables) are the core components used in creating the project plan
- Changing any one element usually affects the accuracy and reliability of the estimates of the other two, and likely means that the project plan must be revised

13 Figure 12-3 Project Plan Inputs

14 Project Plan Development (continued)
When integrating the disparate elements of a complex information security project, complications are likely to arise. Among these complications are:
- Conflicts among communities of interest: when business units or IT staff do not perceive the need or purpose of an information security project, they may not fully support it
- Far-reaching impact: many information security projects span the enterprise and may affect parts of the organization that are opposed to the project
- New technology: a project may deploy technology-based controls that are new to the industry as well as new to the organization

15 Project Scope Management
- Project scope management includes the processes required to ensure that the project plan includes those activities, and only those activities, necessary to complete the project
- Scope creep occurs when the quantity or quality of project deliverables is expanded from the original project plan
- The major processes of this area include:
  - Initiation
  - Scope planning
  - Scope definition
  - Scope verification
  - Scope change control

16 Project Time Management
- Project time management includes the processes required to ensure that the project is finished by the identified completion date while meeting its objectives
- The failure to meet project deadlines is one of the most frequently cited failures in project management
- Many missed deadlines are rooted in poor planning
- This area includes the following processes:
  - Activity definition
  - Activity sequencing
  - Activity duration estimating
  - Schedule development
  - Schedule control

17 Project Cost Management
- Project cost management includes the processes required to ensure that a project is completed within the resource constraints placed upon it
- Some projects are planned using only a financial budget from which all resources must be procured; others are planned with no formal budget
- This management area includes the following processes:
  - Resource planning
  - Cost estimating
  - Cost budgeting
  - Cost control

18 Project Quality Management
- Project quality management includes the processes required to ensure that the project adequately meets the project specifications
- If the project deliverables meet the requirements specified in the project plan, the project has met its quality objective; if they do not, it has not
- A good plan defines project deliverables in unambiguous terms against which actual results are easily compared
- This focus of management includes:
  - Quality planning
  - Quality assurance
  - Quality control

19 Project Human Resource Management
- Project human resource management includes the processes necessary to ensure that the personnel assigned to a project are effectively employed
- Staffing a project requires careful estimates of the number of worker hours required
- In information security projects, human resource management has unique complexities, including:
  - Extended clearances may be required
  - Information security projects often deploy technology controls that are new to the organization, so there is no pool of resources skilled in that area from which to draw
- The major processes in this management area include:
  - Organizational planning
  - Staff acquisition
  - Team development

20 Project Communications Management
- Project communications management includes the processes necessary to convey the details of activities associated with the project to all involved parties
- This includes the creation, distribution, classification, storage, and ultimately destruction of documents, messages, and other associated project information
- The major processes associated with this area include:
  - Communications planning
  - Information distribution
  - Performance reporting
  - Administrative closure

21 Project Risk Management
- Project risk management includes the processes necessary to assess, mitigate, manage, and reduce the impact of adverse occurrences on the project
- Information security projects face risks that may be different from those of other types of projects
- The major processes in this area are:
  - Risk identification
  - Risk quantification
  - Risk response development
  - Risk response control

22 Project Procurement Management
- Project procurement management includes the processes necessary to acquire the resources needed to complete the project
- Depending on the common practices of the organization, project managers may simply requisition resources from the organization, or they may have to purchase them
- The major processes in this area are:
  - Procurement planning
  - Solicitation planning
  - Solicitation
  - Source selection
  - Contract administration
  - Contract closeout

23 Additional Project Planning Considerations
- Financial considerations: regardless of the information security needs within the organization, the effort that can be expended depends on the funds available
- Priority considerations: in general, the most important information security controls in the project plan should be scheduled first
- Time and scheduling considerations: time can affect a project plan at dozens of points in its development

24 Additional Project Planning Considerations (continued)
- Staffing considerations: the lack of qualified, trained, and available personnel also constrains the project plan
- Scope considerations: in addition to the difficulty of handling so many complex tasks at one time, there are interrelated conflicts between the installation of information security controls and the daily operations of the organization
- Organizational feasibility considerations: another consideration is the ability of the organization to adapt to change

25 Additional Project Planning Considerations (continued)
- Procurement considerations: there are a number of constraints on the selection process for equipment and services in most organizations, specifically in the selection of certain service vendors or products from manufacturers and suppliers
- Training and indoctrination considerations: the size of the organization and the normal conduct of business may preclude a single large training program covering new security procedures or technologies

26 Additional Project Planning Considerations (continued)
- Technology governance and change control considerations: technology governance is a complex process that organizations use to manage the effects and costs of technology implementation, innovation, and obsolescence
- By managing the process of change, the organization can:
  - Improve communication about change across the organization
  - Enhance coordination among groups within the organization as change is scheduled and completed

27 Additional Project Planning Considerations (continued)
By managing the process of change, the organization can (continued):
- Reduce unintended consequences by having a process to resolve potential conflicts and disruptions that uncoordinated change can introduce
- Improve quality of service as potential failures are eliminated and groups work together
- Assure management that all groups are complying with the organization's policies regarding technology governance, procurement, accounting, and information security

28 Controlling the Project
- Once a project plan has been defined and all of the preparatory actions are complete, the project gets underway
- Supervising implementation: the optimal approach is usually to designate a suitable person from the information security community of interest, because the focus is on the information security needs of the organization

29 Executing the Plan
- Once a project is underway, it is managed using a process known as a negative feedback loop or cybernetic loop, which ensures that progress is measured periodically
- Corrective action is required in two basic situations: the estimate is flawed, or performance has lagged
- When an estimate is flawed, as when an incorrect estimate of effort-hours is made, the plan should be corrected and downstream tasks updated to reflect the change
- When performance has lagged, correction is accomplished by adding resources, lengthening the schedule, or reducing the quality or quantity of the deliverable

30 Figure 12-4 Negative Feedback Loop

31 Executing the Plan (continued)
Often a project manager can adjust one of the following three planning parameters for the task being corrected:
- Effort and money allocated
- Elapsed time or scheduling impact
- Quality or quantity of the deliverable
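As an added example (not from the textbook or its figures), the Python script below carries the schedule-development steps from the time-management area and the negative feedback loop from the two "Executing the Plan" slides into working code: it sequences a constructed set of tasks for a hypothetical MFA rollout, computes earliest dates and the critical path, then applies two corrections from the loop (a flawed effort estimate, followed by added resources on a downstream task) and reports the slip against the baseline. The task names, durations, and dependencies are assumptions made for the example.

```python
"""Schedule development and the corrective feedback loop for a small
information security project.

Added example (not from the textbook). The task graph is constructed:
a hypothetical MFA rollout, with effort-days and dependencies assumed.
"""
from collections import defaultdict, deque

# Constructed baseline: task -> (estimated effort in working days, predecessors).
BASELINE = {
    "requirements":       (3, []),
    "vendor_select":      (5, ["requirements"]),
    "train_staff":        (2, ["requirements"]),
    "procure":            (4, ["vendor_select"]),
    "pilot_deploy":       (6, ["procure", "train_staff"]),
    "enterprise_rollout": (8, ["pilot_deploy"]),
    "wrap_up":            (1, ["enterprise_rollout"]),
}


def schedule(tasks):
    """Forward pass (activity sequencing + schedule development).

    Returns {task: (earliest_start, earliest_finish)} in topological order,
    so every task follows the tasks it depends on. Raises ValueError for an
    unknown predecessor or a dependency cycle.
    """
    indegree = {t: len(deps) for t, (_, deps) in tasks.items()}
    successors = defaultdict(list)
    for t, (_, deps) in tasks.items():
        for d in deps:
            if d not in tasks:
                raise ValueError(f"{t!r} depends on unknown task {d!r}")
            successors[d].append(t)

    ready = deque(t for t, n in indegree.items() if n == 0)
    sched = {}
    while ready:
        t = ready.popleft()
        duration, deps = tasks[t]
        start = max((sched[d][1] for d in deps), default=0)
        sched[t] = (start, start + duration)
        for s in successors[t]:
            indegree[s] -= 1
            if indegree[s] == 0:
                ready.append(s)
    if len(sched) != len(tasks):
        raise ValueError("dependency cycle: schedule cannot be developed")
    return sched


def project_finish(sched):
    """Completion date of the whole project (largest earliest finish)."""
    return max(finish for _, finish in sched.values())


def critical_path(tasks, sched):
    """Backward pass: tasks with zero float. Slipping any of these slips the
    project completion date; every other task has slack."""
    finish = project_finish(sched)
    latest_start = {}
    for t in reversed(list(sched)):                 # reverse topological order
        duration, _ = tasks[t]
        succ = [s for s, (_, deps) in tasks.items() if t in deps]
        latest_finish = min((latest_start[s] for s in succ), default=finish)
        latest_start[t] = latest_finish - duration
    return [t for t in sched if latest_start[t] == sched[t][0]]


def revise_duration(tasks, task, new_duration):
    """One control action from the feedback loop: correct a flawed effort
    estimate, or shorten a task by adding resources. Returns a revised plan;
    downstream dates are recomputed by schedule(), never edited by hand."""
    if task not in tasks:
        raise KeyError(task)
    revised = dict(tasks)
    _, deps = tasks[task]
    revised[task] = (new_duration, deps)
    return revised


def slip_report(baseline_tasks, revised_tasks):
    """Measure progress against the baseline: finish-date change per task,
    listing only the tasks whose finish moved (the deviations to act on)."""
    base, cur = schedule(baseline_tasks), schedule(revised_tasks)
    return {t: cur[t][1] - base[t][1] for t in base if cur[t][1] != base[t][1]}


if __name__ == "__main__":
    base = schedule(BASELINE)
    print("baseline finish: day", project_finish(base))
    print("critical path:", " -> ".join(critical_path(BASELINE, base)))

    # Loop iteration 1: procurement was under-estimated (4 -> 9 days).
    late = revise_duration(BASELINE, "procure", 9)
    print("slip after re-estimate:", slip_report(BASELINE, late))

    # Loop iteration 2: recover by adding resources to the rollout (8 -> 5
    # days), the "effort and money" lever; the alternatives are accepting the
    # later date or cutting the deliverable's quantity or quality.
    recovered = revise_duration(late, "enterprise_rollout", 5)
    print("slip after recovery:", slip_report(BASELINE, recovered))
```

The baseline plan finishes on day 27 and its critical path runs through procurement and deployment; staff training has seven days of float, so a delay there costs nothing until it exceeds that. Re-estimating procurement pushes every downstream task out by five days, and crashing the rollout recovers three of them. The same two functions model the three levers on the slide: changing a duration is the effort or scheduling lever, and accepting the new finish date or trimming the deliverable are decisions the report informs rather than computes.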

32 Wrap-Up
- Project wrap-up is usually a procedural task assigned to a mid-level IT or information security manager
- These managers collect documentation, finalize status reports, and deliver a final report and a presentation at a wrap-up meeting
- The goal of the wrap-up is to resolve any pending issues, critique the overall effort, and draw conclusions about how to improve the process in future projects

33 Conversion Strategies
Direct changeover: also known as going “cold turkey,” a direct changeover involves stopping the old method and beginning the new
Phased implementation is the most common approach and involves rolling out a piece of the system across the entire organization
Pilot implementation involves implementing all security improvements in a single office, department, or division, and resolving issues within that group before expanding to the rest of the organization
Parallel operation involves running the new methods alongside the old methods

34 To Outsource or Not
Just as some organizations outsource part of or all of their IT operations, so too can organizations outsource part of or all of their information security programs, especially developmental projects
The expense and time it takes to develop effective information security project management skills may be beyond the reach—as well as the needs—of some organizations, and it is in their best interest to hire competent professional services
Because of the complex nature of outsourcing, organizations should hire the best available specialists, and then obtain capable legal counsel to negotiate and verify the legal and technical intricacies of the contract

35 Dealing with Change
The prospect of change can cause employees to be unconsciously or consciously resistant
By understanding and applying change management, you can lower the resistance to change, and even build resilience for change
One of the oldest models of change management is the Lewin change model, which consists of:
Unfreezing - the thawing of hard and fast habits and established procedures
Moving - the transition between the old and new ways
Refreezing - the integration of the new methods into the organizational culture

36 Unfreezing Phases
Disconfirmation
Induction of survival guilt or survival anxiety
Creation of psychological safety or overcoming learning anxiety

37 Moving Phases
Cognitive redefinition
Imitation and positive or defensive identification with a role model
Scanning (also called insight, or trial-and-error learning)

38 Refreezing
Personal refreezing occurs when each individual employee comes to an understanding that the new way of doing things is the best way
Relational refreezing occurs when a group comes to a similar decision

39 Considerations for Organizational Change
Steps can be taken to make an organization more amenable to change
Reducing resistance to change from the start:
Communication is the first and most crucial step
The updates should also educate employees on exactly how the proposed changes will affect them, both individually and across the organization
Involvement means getting key representatives from user groups to serve as members of the process

40 Developing a Culture that Supports Change
An ideal organization fosters resilience to change
This resilience means the organization accepts that change is a necessary part of the culture, and that embracing change is more productive than fighting it
To develop such a culture, the organization must successfully accomplish many projects that require change
A resilient culture can be either cultivated or undermined by management’s approach

41 Project Management Tools
There are many tools that support the management of the diverse resources in complex projects
Most project managers combine software tools that implement one or more of the dominant modeling approaches
The most successful project managers gain sufficient skill and experience to earn a certificate in project management
The Project Management Institute (PMI) is project management’s leading global professional association, and sponsors two certificate programs:
Project Management Professional (PMP)
Certified Associate in Project Management (CAPM)

42 Project Management Tools (continued)
Most project managers engaged in the execution of project plans that are nontrivial in scope use tools to facilitate scheduling and execution of the project
Using complex project management tools often results in a complication called “projectitis,” which occurs when the project manager spends more time documenting project tasks, collecting performance measurements, recording project task information, and updating project completion forecasts than accomplishing meaningful project work
The development of an overly elegant, microscopically detailed plan before gaining consensus for the work and related coordinated activities that it requires may be a precursor to projectitis

43 Work Breakdown Structure
A project plan can be created using a very simple planning tool, such as the work breakdown structure (WBS)
In the WBS approach, the project plan is first broken down into a few major tasks
Each of these major tasks is placed on the WBS task list

44 Work Breakdown Structure (continued)
The minimum attributes that should be determined for each task are:
The work to be accomplished (activities and deliverables)
Estimated amount of effort required for completion in hours or workdays
The common or specialty skills needed to perform the task
Task interdependencies

45 Work Breakdown Structure (continued)
As the project plan develops, additional attributes can be added, including:
Estimated capital expenses for the task
Estimated noncapital expenses for the task
Task assignment according to specific skills
Start and end dates, once tasks have been sequenced and dates projected
Work to be accomplished - The first step in the WBS is to identify the work to be accomplished in the task or task area. This encompasses both activities and deliverables.
Amount of effort - Planners need to estimate the effort required to complete each task, subtask, or action step.
Skill sets/human resources - The project planner should describe the skill set or individual (often called a human resource) needed to accomplish the task. Instead of assigning individuals, the plan should focus on roles or known skill sets.
Task dependencies - Planners should note wherever possible when a task or action step is dependent upon other tasks or action steps.
Estimated capital expenses - Planners need to estimate the expected capital expenses for the completion of each task, subtask, or action item.
Estimated noncapital expenses - Planners need to estimate the expected noncapital expenses for the completion of each task, subtask, or action item.
Start and end dates - In the early stages of planning, the project planner should focus on determining completion dates only for major milestones within the project. A milestone is a specific task completion point in the project plan that has a noticeable effect on the progress of the project plan as a whole.

46 Work Phase
Once the project manager has completed the WBS by breaking tasks into subtasks, estimating effort, and forecasting the necessary resources, the work phase—during which the project deliverables are prepared—may begin

47 Table 12-2 Early Draft WBS

48 Table 12-2 Early Draft WBS (continued)

49 Table 12-3 Later Draft WBS

50 Task-Sequencing Approaches
Once a project reaches even a relatively modest size, say a few dozen tasks, there can be almost innumerable possibilities for task assignment and scheduling
A number of approaches are available to assist the project manager in this sequencing effort

51 Network Scheduling
One method for sequencing tasks and subtasks in a project plan is known as network scheduling
“Network” refers to the web of possible pathways to project completion from the beginning task to the ending task

52 Figure 12-5 Simple Network Dependency

53 Figure 12-6 Complex Network Dependency

54 Program Evaluation and Review Technique (PERT)
PERT, the most popular of the network dependency diagramming techniques, was originally developed in the late 1950s to meet the needs of rapidly expanding government-driven engineering projects
About the same time, a similar project, called the Critical Path Method, was being developed in industry
It is possible to take a very complex operation and diagram it in PERT if you can answer three key questions about each activity:
How long will this activity take?
What activity occurs immediately before this activity can take place?
What activity occurs immediately after this activity?

55 Program Evaluation and Review Technique (PERT) (continued)
By determining the path through the various activities, you can determine the critical path: the sequence of events or activities that requires the longest duration to complete, and thus the series of events or activities that cannot be delayed without delaying the entire project
As each possible path through the project is analyzed, the difference in time between the critical path and any other path is the slack time, an indication of how much time is available for starting a noncritical task without delaying the project as a whole
Should a delay be introduced, whether due to poor estimation of time, unexpected events, or the need to reassign resources to other paths such as the critical path, the tasks with slack time are the logical candidates for delay

56 PERT Advantages
There are several advantages to the PERT method:
Makes planning large projects easier by facilitating the identification of pre- and post-activities
Allows planning to determine the probability of meeting requirements
Anticipates the impact of changes on the system
Presents information in a straightforward format that both technical and nontechnical managers can understand and refer to in planning discussions
Requires no formal training

57 PERT Disadvantages
Disadvantages of the PERT method include:
Diagrams can become awkward and cumbersome, especially in very large projects
Diagrams can become expensive to develop and maintain, due to the complexities of some project development processes
Can be difficult to place an accurate “time to complete” on some tasks, especially in the initial construction of a project; inaccurate estimates invalidate any close critical path calculations

58 Figure 12-7 PERT Example

59 Gantt Chart
Another popular project management tool is the bar or Gantt chart, named for Henry Gantt, who developed this method in the early 1900s
Like network diagrams, Gantt charts are easy to read and understand, and thus easy to present to management
These simple bar charts are even easier to design and implement than the PERT diagrams, and yield much of the same information
The Gantt chart lists activities on the vertical axis of a bar chart, and provides a simple time line on the horizontal axis
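The WBS attributes, the PERT critical-path and slack-time calculation, and the Gantt chart above, worked through in one added example that is not from the textbook: a constructed WBS for a hypothetical firewall-replacement project (task names, efforts, skills and dependencies are made up) is scheduled by answering the three PERT questions for each task, the critical path and slack are derived, and the result is drawn as a text Gantt chart.

```python
# Added example, not from the textbook. The task list below is a constructed
# WBS for a hypothetical firewall-replacement project; every name, effort and
# dependency is made up for illustration.
from copy import deepcopy
from dataclasses import dataclass, field


@dataclass
class Task:
    """One WBS entry carrying the minimum attributes the slides list."""
    work: str                                        # work to be accomplished
    effort_days: int                                 # estimated effort in workdays
    skills: str                                      # skill set / human resource
    depends_on: list = field(default_factory=list)   # task interdependencies


# Constructed sample WBS: letters are task ids, values are Task records.
WBS = {
    "A": Task("Define requirements", 3, "security architect"),
    "B": Task("Procure appliance", 10, "procurement", ["A"]),
    "C": Task("Write rule set", 4, "firewall admin", ["A"]),
    "D": Task("Lab test", 2, "network engineer", ["B", "C"]),
    "E": Task("Pilot in one office", 5, "firewall admin", ["D"]),
    "F": Task("Staff training", 2, "awareness lead", ["C"]),
    "G": Task("Full cutover", 1, "network engineer", ["E", "F"]),
}


def successors(wbs, key):
    """PERT question 3: which activities occur immediately after this one?"""
    return [j for j, t in wbs.items() if key in t.depends_on]


def topological_order(wbs):
    """Order tasks so every predecessor comes first (Kahn's algorithm).
    A cycle among dependencies is a planning error, so it raises."""
    indeg = {k: len(t.depends_on) for k, t in wbs.items()}
    ready = sorted(k for k, d in indeg.items() if d == 0)
    order = []
    while ready:
        k = ready.pop(0)
        order.append(k)
        for j in successors(wbs, k):
            indeg[j] -= 1
            if indeg[j] == 0:
                ready.append(j)
                ready.sort()
    if len(order) != len(wbs):
        raise ValueError("dependency cycle in WBS")
    return order


def schedule(wbs):
    """Forward pass: earliest start/finish. Backward pass: latest start/finish.
    Slack = latest start - earliest start; zero slack means critical."""
    order = topological_order(wbs)
    es, ef, ls, lf = {}, {}, {}, {}
    for k in order:
        es[k] = max((ef[p] for p in wbs[k].depends_on), default=0)
        ef[k] = es[k] + wbs[k].effort_days
    length = max(ef.values())
    for k in reversed(order):
        lf[k] = min((ls[j] for j in successors(wbs, k)), default=length)
        ls[k] = lf[k] - wbs[k].effort_days
    slack = {k: ls[k] - es[k] for k in order}
    return {"length": length, "es": es, "ef": ef, "ls": ls, "lf": lf,
            "slack": slack}


def critical_path(wbs):
    """Tasks with zero slack: delaying any of them delays the whole project."""
    s = schedule(wbs)
    return [k for k in topological_order(wbs) if s["slack"][k] == 0]


def length_after_delay(wbs, key, extra_days):
    """Project length if one task overruns. A non-critical task absorbs a delay
    up to its slack; a critical task pushes the finish date out directly."""
    w = deepcopy(wbs)
    w[key].effort_days += extra_days
    return schedule(w)["length"]


def gantt(wbs):
    """Text Gantt chart: tasks down the side, days across; '#' is work
    scheduled at the earliest start, '.' is the slack available after it."""
    s = schedule(wbs)
    rows = []
    for k in topological_order(wbs):
        bar = " " * s["es"][k] + "#" * wbs[k].effort_days + "." * s["slack"][k]
        rows.append(f"{k} {wbs[k].work:<20} |{bar}")
    return "\n".join(rows)


if __name__ == "__main__":
    print("critical path:", " -> ".join(critical_path(WBS)))
    print("slack per task:", schedule(WBS)["slack"])
    print(gantt(WBS))
```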

60 Figure 12-8 Project Gantt Chart

61 Automated Project Tools
Microsoft Project is a widely used project management tool
If you’re considering using an automated project management tool, keep the following in mind:
A software program cannot take the place of a skilled and experienced project manager who understands how to define tasks, allocate scarce resources, and manage the resources that are assigned
A software tool can get in the way of the work
Choose a tool that you can use effectively

62 Summary
Introduction
Project Management
Applying Project Management to Security
Project Management Tools

